CafePress security incident 2019-02-19

[Ath]

Today, September 25th, 2019, I received an e-mail from CafePress, the supplier of, among other stuff, the NANY mugs, stating they have had a security incident on February 19th, 2019, where customer names, addresses, e-mail addresses and account-passwords have been stolen from a database. It appears they first published this story on September 5th, 2019.
I took a screenshot from their website where the whole story is explained for as far as they know.

Link to the page at cafepress.co.uk

[mouser]

 

[Deozaan]

I tried to login to change my password and they say I don't have an account. I suppose that would be why I didn't get an email notification about this.

Now I'm wondering if my account was deleted due to inactivity or if I manually requested it to be deleted long enough ago that I forgot I had done that.

[anandcoral]

As far as I have read, hackers are always trying to break in one and all servers, sadly.

So we just have to be cautious and use different passwords for all websites ; and, most important, only give information which is needed for using the website.

Other then that we do not have any hope or control on this big internet world.

Regards,

Anand

[Stoic Joker]

Shit, LatestHackingNews.com had an article about this back in August - But I didn't make the connection back then.

Sorry Mouser.

[mouser]

Eh, these things happen.  I'm not stressed over it, just normal level irritation with such things

[mouser]

I think the most important things to take away from these occasional security incidents are:
1. Remember to use a different password on every website
2. Keep separate the email address you use for important personal conversation and the email address you use to sign up to random unimportant websites.
3. Have an alert set on your credit cards so you get a notification after EVERY purchase.  I think this is an item many people don't bother to set up, but I find it invaluable.

[wraith808]

2. Keep separate the email address you use for important personal conversation and the email address you use to sign up to random unimportant websites.

-mouser (October 02, 2019, 05:49 AM)

A call out again for a feature in gmail that I make extensive use of- +addressing.  email+<meaningfulsuffix>@gmail.com.  I use those for signups everywhere, and I've been able to blacklist a few sites from my interest/attention by the e-mail addresses in spam.

[Deozaan]

I think the most important things to take away from these occasional security incidents are:
1. Remember to use a different password on every website
2. Keep separate the email address you use for important personal conversation and the email address you use to sign up to random unimportant websites.
3. Have an alert set on your credit cards so you get a notification after EVERY purchase.  I think this is an item many people don't bother to set up, but I find it invaluable.

-mouser (October 02, 2019, 05:49 AM)

4.a. Whenever possible, refuse to give any personal information to any company -- too many have proven they will not be good stewards of the information you've given them.
4.b. If a company/site/service requires you to give them information, falsify as much of it as you (legally) can while still using their service. Obviously Amazon needs my postal address to ship stuff to me, but there's no reason why an instant messaging app needs to know e.g. my phone number or postal address.

[Edvard]

5.  Your password is only as secure as the computer it's sitting on.  "Password123" is functionally the same as a 256-bit SHA1 hash of Calvin Coolidge's autobiography; Chapter 7, if the service in question stores it in a plain text file. (Yes, this does happen)